Configuring Firewall Load Balancing

This chapter describes how to configure firewall load balancing on your Cisco 4700 Series Application Control Engine (ACE) appliance. Firewall load balancing allows you to scale firewall protection by distributing traffic across multiple firewalls on a per-connection basis. All packets belonging to a particular connection must go through the same firewall. The firewall then allows or denies transmission of individual packets across its interfaces.

Firewall Overview

A firewall forms a physical barrier between two parts of a network, for example, the Internet and an intranet. When a firewall accepts a packet from one side (the Internet), it sends the packet through to the other side (the intranet). A firewall can modify a packet before passing it through or send it through unaltered. When a firewall rejects a packet, it typically discards the packet and logs the discarded packet as an event.

After a session is established and a flow of packets begins, a firewall can monitor each packet in the flow or allow the flow to continue unmonitored, depending on the policies that you configure on that firewall.

Firewall Types

The two basic types of firewalls are as follows:

•Standard firewalls

•Stealth firewalls

Standard firewalls have a presence on the network. You assign IP addresses to the firewalls, which allows other devices on the network to see and address them as devices. Each firewall has an IP address on the VLANs configured on both sides of the firewall.

Stealth firewalls have no presence on the network. You do not assign IP addresses to the firewalls, which prevents other devices on the network from seeing or addressing them. Instead, you configure IP addresses on the VLANs on both sides of the firewall. To the network, a stealth firewall is part of the wire.

Both firewall types do the following tasks:

•Examine traffic moving in both directions (between the protected and the unprotected sides of the network)

•Accept or reject packets based on user-defined policies

How the ACE Distributes Traffic to Firewalls

The ACE load balances traffic to devices configured in server farms. These devices can be firewalls, caches, servers, or any IP-addressable object. For more information about server farms, see the "Configuring a Server Farm" section in Chapter 2, Configuring Real Servers and Server Farms. When the ACE load balances traffic to firewalls, it performs the same function that it performs when it load balances Layer 3 traffic to real servers in a server farm.

The ACE uses load-balancing algorithms or predictors to determine how to balance the traffic among the devices configured in the server farms, independent of the device type. For FWLB, we recommend that you use only the hash address source and the hash address destination predictors. Using any other predictor with FWLB may fail and block traffic, especially for applications that have separate control and data channels, for example, FTP.
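The following added example (not from the Cisco documentation) models why the chapter restricts FWLB to the two hash address predictors: ACE A keys on the source address of connections arriving from the Internet and ACE B on the destination address of connections leaving the intranet, so every connection of a session, including the FTP control channel, its return traffic and the active- or passive-mode data channel, selects the same firewall, while an address-agnostic predictor such as round robin splits them. The ACE's real hash function is not published here, so hash_bucket() is a stand-in, and the client and server addresses are constructed.

```python
"""Per-connection firewall selection under the FWLB predictors (added example)."""
import hashlib
import ipaddress
from dataclasses import dataclass

FIREWALLS = ["FW1", "FW2", "FW3"]   # the three firewalls of Figure 6-1


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


def masked(addr: str, mask: str) -> int:
    """Apply the predictor mask (255.255.255.255 in the chapter's examples)."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


def hash_bucket(value: int, buckets: int) -> int:
    """Stand-in for the ACE hash (assumption): deterministic in the masked address."""
    digest = hashlib.sha256(value.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def hash_address(flow: Flow, side: str, mask: str = "255.255.255.255") -> str:
    """'predictor hash address source' (side="source") or '... destination'."""
    addr = flow.src if side == "source" else flow.dst
    return FIREWALLS[hash_bucket(masked(addr, mask), len(FIREWALLS))]


class RoundRobin:
    """Address-agnostic predictor, included only for contrast."""

    def __init__(self) -> None:
        self.next = 0

    def pick(self, flow: Flow) -> str:
        fw = FIREWALLS[self.next % len(FIREWALLS)]
        self.next += 1
        return fw


def ftp_session(client: str, server: str) -> dict:
    """Firewall chosen for each connection of one FTP session.

    Connections arriving from the Internet hit ACE A first (hash address source);
    connections leaving the intranet hit ACE B first (hash address destination).
    Both therefore key on the client address. FW_INSEC_n on ACE A and FW_SEC_n on
    ACE B are assumed to be the same physical firewall, as in Figure 6-1.
    """
    control = Flow(client, server, 40000, 21)          # client -> server, via ACE A
    control_ret = Flow(server, client, 21, 40000)      # server -> client, via ACE B
    active_data = Flow(server, client, 20, 40001)      # opened by the server, via ACE B
    passive_data = Flow(client, server, 40002, 50001)  # opened by the client, via ACE A
    return {
        "control": hash_address(control, "source"),
        "control_return": hash_address(control_ret, "destination"),
        "active_data": hash_address(active_data, "destination"),
        "passive_data": hash_address(passive_data, "source"),
    }


def session_pinned(client: str, server: str) -> bool:
    """True when every connection of the FTP session lands on one firewall."""
    return len(set(ftp_session(client, server).values())) == 1


def round_robin_pinned(client: str, server: str) -> bool:
    """Same control channel under round robin: forward and return flows split."""
    rr = RoundRobin()
    fwd = rr.pick(Flow(client, server, 40000, 21))
    ret = rr.pick(Flow(server, client, 21, 40000))
    return fwd == ret


def mask_groups_clients(client_a: str, client_b: str, mask: str) -> bool:
    """A shorter mask (e.g. 255.255.255.0) sends a whole client subnet to one firewall."""
    fa = hash_address(Flow(client_a, "20.1.1.1", 1, 80), "source", mask)
    fb = hash_address(Flow(client_b, "20.1.1.1", 1, 80), "source", mask)
    return fa == fb


if __name__ == "__main__":
    print(ftp_session("198.51.100.7", "20.1.1.1"))
    print("hash address pins the session:", session_pinned("198.51.100.7", "20.1.1.1"))
    print("round robin pins the session:", round_robin_pinned("198.51.100.7", "20.1.1.1"))
```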

Supported Firewall Configurations

The ACE can load balance traffic to both standard and stealth firewalls.

For standard firewalls, a single ACE or a pair of ACE appliances load balances traffic among firewalls that contain unique IP addresses in a manner similar to how the ACE load balances traffic among servers in a server farm (see Figure 6-1).

In Figure 6-1, traffic moves through the firewalls and the firewalls filter the traffic in both directions. For traffic that originates on the Internet, ACE A load balances the traffic to the firewalls in the SF_INSEC server farm. For traffic that originates on the intranet, ACE B load balances the traffic to the firewalls in server farm SF_SEC. You configure the firewalls so that the return traffic flows through the same firewall as the original traffic.

Figure 6-1 Standard Firewall Configuration

For stealth firewalls, an ACE load balances traffic among interfaces with unique IP addresses on a different ACE; each interface provides a path through one of the firewalls (Figure 6-2). You configure a stealth firewall so that all traffic moving in both directions across a particular VLAN moves through the same firewall.

Figure 6-2 Stealth Firewall Configuration (Dual ACEs Only)

In Figure 6-2, traffic flows through the firewalls and the firewalls filter the traffic in both directions. On the path to the intranet, ACE A balances traffic across VLANs 101, 102, and 103 through the firewalls to ACE B. On the path to the Internet, ACE B balances traffic across VLANs 201, 202, and 203 through the firewalls to ACE A. Each ACE uses the IP addresses configured on the other ACE as targets for the load-balancing process.

Configuring Standard Firewall Load Balancing

This section describes how to configure firewall load balancing for standard firewalls. It contains the following topics:

Note For information about configuring the firewall devices in your network, refer to the documentation included with your firewall product.

Standard FWLB Configuration Overview

In this standard FWLB configuration example (see Figure 6-1), you configure three firewalls (FW1, FW2, and FW3) between two ACEs (ACE A and ACE B). (You can also configure standard FWLB using a single ACE.) Traffic enters and exits the firewalls through shared VLANs on either side of the firewalls (VLAN 101 on the insecure side and VLAN 201 on the secure side). You assign unique IP addresses to each firewall configured as a real server in a server farm on each shared VLAN.

Other VLANs provide connectivity to the following:

•Internet (VLAN 100)

•Internal network (VLAN 200)

•Internal server farm (VLAN 20)

Standard FWLB Configuration Quick Starts

This section provides quick start tables that include step-by-step instructions for configuring standard FWLB on two ACE appliances. You can also configure standard FWLB on a single ACE. This section includes the following topics:

Standard FWLB Configuration Quick Start for ACE A

Table 6-1 provides a quick overview of the steps required to configure standard FWLB on ACE A (see Figure 6-1). Each step includes the CLI command required to complete the task.

Table 6-1 Standard FWLB Configuration Quick Start for ACE A

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to, or directly log in to, the correct context.

host1/Admin# changeto C1

host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

2. Enter configuration mode.

host1/Admin# config

Enter configuration commands, one per line. End with CNTL/Z

host1/Admin(config)#

3. Configure an access control list (ACL) to allow traffic. You can modify the ACL to suit your application needs. For more information about configuring ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any

5. Configure a server farm to handle connections originating from the insecure side of the firewalls (Internet). The ACE selects a firewall based on source IP address using the hash address source predictor. For more information about configuring server farms, see Chapter 2, Configuring Real Servers and Server Farms.

9. Configure an interface that the ACE uses to receive traffic from the Internet and to send traffic that originates from the intranet to the Internet. Apply the ACL (ACL1) and the Layer 3 policy (POL_INSEC) to the interface. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 100

host1/Admin(config-if)# ip address 100.100.1.100 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# service-policy input POL_INSEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

10. Configure an interface on the insecure side of the firewalls. The ACE uses this interface to load balance traffic to the firewalls and to receive traffic that originates from the intranet. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 101

host1/Admin(config-if)# ip address 100.101.1.101 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input POL_INSEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# Ctrl-z

11. Use the following show commands to verify your FWLB configuration:

host1/Admin# show running-config access-list

host1/Admin# show running-config class-map

host1/Admin# show running-config interface

host1/Admin# show running-config policy-map

host1/Admin# show running-config rserver

host1/Admin# show running-config serverfarm

12. (Optional) Save your configuration changes to flash memory.

host1/Admin# copy running-config startup-config

Standard FWLB Configuration Quick Start for ACE B

Table 6-2 provides a quick overview of the steps required to configure standard FWLB on ACE B (see Figure 6-1). Each step includes the CLI command and a reference to the procedure required to complete the task.

Table 6-2 Standard FWLB Configuration Quick Start for ACE B

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to, or directly log in to, the correct context.

host1/Admin# changeto C1

host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

2. Enter configuration mode.

host1/Admin# config

Enter configuration commands, one per line. End with CNTL/Z

host1/Admin(config)#

3. Configure an ACL to allow traffic. You can modify the ACL to suit your application needs. For more information about configuring ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any

5. Configure a server farm to handle connections that originate from the secure side of the firewall (intranet). In this case, the ACE selects a firewall based on the destination IP address using the hash address destination predictor. This predictor allows the ACE to select the same firewall for return flows and buddy connections. For example, you want both the FTP control and data channels to pass through the same firewall. For more information about configuring server farms, see Chapter 2, Configuring Real Servers and Server Farms.

13. Configure a Layer 3 policy map and associate the Layer 7 policy map (LB_FW_SEC) and the Layer 3 class map (FW_SEC_VIP) with it. Enable the VIP for load balancing. This step completes the policy that load balances any request that originates on the secure side of the firewalls and is destined for the Internet. For more information about configuring traffic policies for SLB, see Chapter 3, Configuring Traffic Policies for Server Load Balancing.

host1/Admin(config)# policy-map multi-match POL_SEC

host1/Admin(config-pmap)# class FW_SEC_VIP

host1/Admin(config-pmap-c)# loadbalance vip inservice

host1/Admin(config-pmap-c)# loadbalance policy LB_FW_SEC

host1/Admin(config-pmap-c)# exit

host1/Admin(config-pmap)# exit

14. Configure an interface on the secure side of the firewalls for traffic that originates from the Internet and is passing through the firewalls. The ACE uses this interface to catch traffic from the firewalls, load balance it to the HTTP server farm, and route it to the remote host. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 201

host1/Admin(config-if)# ip address 100.201.1.201 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input POL_SEC_20

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

15. Configure an interface on the secure side of the firewalls for traffic that originates from the HTTP server farm on VLAN 20. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 20

host1/Admin(config-if)# ip address 20.1.1.20 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# service-policy input POL_SEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

16. Configure an interface on the secure side of the firewalls for traffic that originates from the remote host on VLAN 200. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 200

host1/Admin(config-if)# ip address 200.1.1.200 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# service-policy input POL_SEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# Ctrl-z

17. Use the following show commands to verify your FWLB configuration:

host1/Admin# show running-config access-list

host1/Admin# show running-config class-map

host1/Admin# show running-config interface

host1/Admin# show running-config policy-map

host1/Admin# show running-config rserver

host1/Admin# show running-config serverfarm

18. (Optional) Save your configuration changes to flash memory.

host1/Admin# copy running-config startup-config

Configuring Stealth Firewall Load Balancing

This section describes how to configure stealth FWLB. It contains the following topics:

Note For information about configuring the firewall devices in your network, refer to the documentation included with your firewall product.

Stealth Firewall Load-Balancing Configuration Overview

Note In a stealth FWLB configuration, you must configure two ACE appliances.

In this stealth FWLB configuration example (see Figure 6-2), ACE A and ACE B load balance traffic through three firewalls. Each firewall configured as a real server in a server farm connects to two different VLANs, one on the insecure side and one on the secure side of the firewall. Stealth firewalls do not have IP addresses on VLANs. Instead, you configure IP addresses on each ACE interface to which a firewall connects.

On the path from the Internet to the intranet, traffic enters the insecure side of the firewalls through separate VLANs (VLAN 101, VLAN 102, and VLAN 103) and exits the secure side of the firewalls through separate VLANs (VLAN 201, VLAN 202, and VLAN 203). On the path from the intranet to the Internet, the flow is reversed. Other VLANs provide connectivity to the following locations:

•Internet (VLAN 100)

•Remote host (VLAN 200)

•Intranet server farm (VLAN 20)

Stealth Firewall Load-Balancing Configuration Quick Starts

This section provides quick start tables that include step-by-step instructions about how to configure stealth FWLB on two separate ACE appliances. This section includes the following topics:

Stealth FWLB Configuration Quick Start for ACE A

Table 6-3 provides a quick overview of the steps required to configure stealth FWLB on ACE A (insecure side). Each step includes the CLI command required to complete the task.

Table 6-3 Stealth FWLB Configuration Quick Start for ACE A

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to, or directly log in to, the correct context.

host1/Admin# changeto C1

host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

2. Enter configuration mode.

host1/Admin# config

Enter configuration commands, one per line. End with CNTL/Z

host1/Admin(config)#

3. Configure an ACL to allow traffic to the ACE. You can modify the ACL to suit your application needs. For more information about configuring ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any

5. Configure a server farm to handle connections originating from the insecure side of the firewalls (Internet). The ACE selects a firewall based on source IP address using the hash address source predictor. For more information about configuring server farms, see Chapter 2, Configuring Real Servers and Server Farms.

11. Configure a Layer 3 policy map and associate the Layer 3 class map (FW_VIP) and the Layer 7 policy map (LB_FW_INSEC) with it to complete the load-balancing policy configuration.

host1/Admin(config)# policy-map multi-match POL_INSEC

host1/Admin(config-pmap)# class FW_VIP

host1/Admin(config-pmap-c)# loadbalance vip inservice

host1/Admin(config-pmap-c)# loadbalance policy LB_FW_INSEC

host1/Admin(config-pmap-c)# exit

host1/Admin(config-pmap)# exit

12. Configure an interface that the ACE uses to receive traffic from the Internet and load balance the traffic to the insecure side of the firewall. Apply the ACL (ACL1) and the Layer 3 policy (POL_INSEC) to the interface. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 100

host1/Admin(config-if)# ip address 100.100.1.100 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# service-policy input POL_INSEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

13. Configure an interface on the insecure side of the firewalls that ACE A uses to load balance traffic to FW1 and to receive traffic that originates from the intranet. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 101

host1/Admin(config-if)# ip address 101.0.101.10 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input FORWARD_INSEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

14. Configure an interface on the insecure side of the firewalls that ACE A uses to load balance traffic to FW2 and to receive traffic that originates from the intranet. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 102

host1/Admin(config-if)# ip address 101.0.102.20 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input FORWARD_INSEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

15. Configure an interface on the insecure side of the firewalls that ACE A uses to load balance traffic to the FW3 and to receive traffic that originates from the intranet. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 103

host1/Admin(config-if)# ip address 101.0.103.30 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input FORWARD_INSEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# Ctrl-z

16. Use the following show commands to verify your FWLB configuration:

host1/Admin# show running-config access-list

host1/Admin# show running-config class-map

host1/Admin# show running-config interface

host1/Admin# show running-config policy-map

host1/Admin# show running-config rserver

host1/Admin# show running-config serverfarm

17. (Optional) Save your configuration changes to flash memory.

host1/Admin# copy running-config startup-config

Stealth FWLB Configuration Quick Start for ACE B

Table 6-4 provides a quick overview of the steps required to configure stealth FWLB on ACE B (secure side). Each step includes the CLI command required to complete the task.

Table 6-4 Stealth FWLB Configuration Quick Start for ACE B

Task and Command Example

1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to, or directly log in to, the correct context.

host1/Admin# changeto C1

host1/C1#

The rest of the examples in this table use the Admin context, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.

2. Enter configuration mode.

host1/Admin# config

Enter configuration commands, one per line. End with CNTL/Z

host1/Admin(config)#

3. Configure an ACL to allow traffic to the ACE. You can modify the ACL to suit your application needs. For more information about configuring ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.

host1/Admin(config)# access-list ACL1 line 10 extended permit ip any any

5. Configure a server farm to handle connections that originate from the secure side of the firewall (intranet). In this case, the ACE selects a firewall based on the destination IP address using the hash address destination predictor. This predictor allows the ACE to select the same firewall for return flows and buddy connections. For example, you want both the FTP control and data channels to pass through the same firewall. For more information about configuring server farms, see Chapter 2, Configuring Real Servers and Server Farms.

10. Configure a Layer 3 policy map and associate the Layer 3 class map (SEC_20_VS) and the Layer 7 policy map (SEC_20_LB) with it. This step completes the policy that load balances traffic to the HTTP servers on VLAN 20. For more information about configuring traffic policies for SLB, see Chapter 3, Configuring Traffic Policies for Server Load Balancing.

host1/Admin(config)# policy-map multi-match POL_SEC_20

host1/Admin(config-pmap)# class SEC_20_VS

host1/Admin(config-pmap-c)# loadbalance vip inservice

host1/Admin(config-pmap-c)# loadbalance policy SEC_20_LB

host1/Admin(config-pmap-c)# exit

host1/Admin(config-pmap)# exit

11. Configure a Layer 7 policy map to load balance requests that originate from either VLAN 200 or VLAN 20 and are destined for the Internet to the secure side of the firewalls on VLAN 201. For more information about configuring traffic policies for SLB, see Chapter 3, Configuring Traffic Policies for Server Load Balancing.

13. Configure a Layer 3 policy map and associate the Layer 7 policy map (LB_FW_SEC) and the Layer 3 class map (FW_SEC_VIP) with it. Enable the VIP for load balancing. This step completes the policy that load balances any request that originates on the secure side of the firewalls and is destined for the Internet. For more information about configuring traffic policies for SLB, see Chapter 3, Configuring Traffic Policies for Server Load Balancing.

host1/Admin(config)# policy-map multi-match POL_SEC

host1/Admin(config-pmap)# class FW_SEC_VIP

host1/Admin(config-pmap-c)# loadbalance vip inservice

host1/Admin(config-pmap-c)# loadbalance policy LB_FW_SEC

host1/Admin(config-pmap-c)# exit

host1/Admin(config-pmap)# exit

14. Configure an interface on the secure side of the firewalls that the ACE uses to send traffic to FW1 from the intranet and to receive traffic that originates from the Internet and is passing through the firewall. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 201

host1/Admin(config-if)# ip address 101.0.201.10 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input POL_SEC_20

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

15. Configure an interface on the secure side of the firewalls that the ACE uses to send traffic to FW2 from the intranet and to receive traffic that originates from the Internet and is passing through the firewall. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 202

host1/Admin(config-if)# ip address 101.0.202.20 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input POL_SEC_20

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

16. Configure an interface on the secure side of the firewalls that the ACE uses to send traffic to FW3 from the intranet and to receive traffic that originates from the Internet and is passing through the firewall. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 203

host1/Admin(config-if)# ip address 101.0.203.30 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# mac-sticky enable

host1/Admin(config-if)# service-policy input POL_SEC_20

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

17. Configure an interface that the ACE uses to receive traffic that originates from the remote host on VLAN 200 and is destined to the Internet. Apply the ACL (ACL1) and the Layer 3 policy map (POL_SEC) to the interface. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 200

host1/Admin(config-if)# ip address 200.1.1.200 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# service-policy input POL_SEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

18. Configure an interface that the ACE uses to receive traffic that originates from the HTTP server farm on VLAN 20 and is destined to the Internet. Apply the ACL (ACL1) and the Layer 3 policy map (POL_SEC) to the interface. For more information about configuring interfaces, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide.

host1/Admin(config)# interface vlan 20

host1/Admin(config-if)# ip address 20.100.1.100 255.255.0.0

host1/Admin(config-if)# access-group input ACL1

host1/Admin(config-if)# service-policy input POL_SEC

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# Ctrl-z

19. Use the following show commands to verify your FWLB configuration:

host1/Admin# show running-config access-list

host1/Admin# show running-config class-map

host1/Admin# show running-config interface

host1/Admin# show running-config policy-map

host1/Admin# show running-config rserver

host1/Admin# show running-config serverfarm

20. (Optional) Save your configuration changes to flash memory.

host1/Admin# copy running-config startup-config

Displaying FWLB Configurations

You can display your entire running configuration by using the show running-config command in Exec mode. The syntax of this command is as follows:

show running-config

To display sections of the running-config that pertain to FWLB, use the following commands in Exec mode:

•show running-config access-list

•show running-config class-map

•show running-config interface

•show running-config policy-map

•show running-config rserver

•show running-config serverfarm

•show running-config service-policy

Firewall Load-Balancing Configuration Examples

This section provides examples of standard and stealth FWLB configurations. It contains the following topics:

Example of a Standard Firewall Load-Balancing Configuration

The following example shows those portions of the running configuration that pertain to standard FWLB. The configuration is based on two ACE appliances with the firewalls situated between them (see Figure 6-1). You can also configure standard FWLB using a single ACE.

ACE A Configuration—Standard Firewall Load Balancing

access-list ACL1 line 10 extended permit ip any any

rserver host FW_INSEC_1
  ip address 100.101.1.1
  inservice
rserver host FW_INSEC_2
  ip address 100.101.1.2
  inservice
rserver host FW_INSEC_3
  ip address 100.101.1.3
  inservice

serverfarm INSEC_SF
  transparent
  predictor hash address source 255.255.255.255
  rserver FW_INSEC_1
    inservice
  rserver FW_INSEC_2
    inservice
  rserver FW_INSEC_3
    inservice

class-map match-any FW_VIP
  10 match virtual-address 200.1.1.1 255.255.0.0 any

policy-map type loadbalance first-match LB_FW_INSEC
  class class-default
    serverfarm INSEC_SF

policy-map multi-match POL_INSEC
  class FW_VIP
    loadbalance vip inservice
    loadbalance policy LB_FW_INSEC

interface vlan 100
  ip addr 100.100.1.100 255.255.0.0
  access-group input ACL1
  service-policy input POL_INSEC
  no shutdown

interface vlan 101
  ip addr 100.101.1.101 255.255.0.0
  access-group input ACL1
  mac-sticky enable
  service-policy input POL_INSEC
  no shutdown

ACE B Configuration—Standard Firewall Load Balancing

access-list ACL1 line 10 extended permit ip any any

rserver FW_SEC_1
  ip address 100.201.1.1
  inservice
rserver FW_SEC_2
  ip address 100.201.1.2
  inservice
rserver FW_SEC_3
  ip address 100.201.1.3
  inservice
rserver REAL1
  ip address 20.1.1.1
  inservice
rserver REAL2
  ip address 20.1.1.2
  inservice
rserver REAL3
  ip address 20.1.1.3
  inservice

serverfarm SEC_SF
  predictor hash address destination 255.255.255.255
  transparent
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
  rserver FW_SEC_3
    inservice

serverfarm SEC_20_SF
  rserver REAL1
    inservice
  rserver REAL2
    inservice
  rserver REAL3
    inservice

class-map match-any SEC_20_VS
  10 match virtual-address 200.1.1.1 255.255.0.0 any

class-map match-any FW_SEC_VIP
  10 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match SEC_20_LB
  class class-default
    serverfarm SEC_20_SF

policy-map multi-match POL_SEC_20
  class SEC_20_VS
    loadbalance vip inservice
    loadbalance policy SEC_20_LB

policy-map type loadbalance first-match LB_FW_SEC
  class class-default
    serverfarm SEC_SF

policy-map multi-match POL_SEC
  class FW_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_FW_SEC

interface vlan 201
  ip address 100.201.1.201 255.255.0.0
  access-group input ACL1
  mac-sticky enable
  service-policy input POL_SEC_20
  no shutdown

interface vlan 20
  ip address 20.1.1.20 255.255.0.0
  access-group input ACL1
  service-policy input POL_SEC
  no shutdown

interface vlan 200
  ip address 200.1.1.200 255.255.0.0
  access-group input ACL1
  service-policy input POL_SEC
  no shutdown
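The following added example is not a Cisco tool; it is a small checker that parses flat show running-config text of the kind shown above and verifies the three points a standard FWLB configuration depends on: each firewall server farm is transparent (so the ACE keeps the original destination address instead of rewriting it to a firewall address), uses a hash address predictor on the expected side (source on ACE A, destination on ACE B), and every VLAN interface whose subnet contains the firewall real servers has mac-sticky enabled so return traffic goes back through the same firewall. The sample configuration is constructed from the ACE A example above, and the block-splitting heuristic (unindented lines start a section) is an assumption about the running-config layout.

```python
"""Checker for standard FWLB running-config invariants (added example)."""
import ipaddress
import re

# Constructed from the ACE A example in this chapter.
ACE_A_CONFIG = """\
access-list ACL1 line 10 extended permit ip any any
rserver host FW_INSEC_1
  ip address 100.101.1.1
  inservice
rserver host FW_INSEC_2
  ip address 100.101.1.2
  inservice
rserver host FW_INSEC_3
  ip address 100.101.1.3
  inservice
serverfarm INSEC_SF
  transparent
  predictor hash address source 255.255.255.255
  rserver FW_INSEC_1
    inservice
  rserver FW_INSEC_2
    inservice
  rserver FW_INSEC_3
    inservice
interface vlan 100
  ip addr 100.100.1.100 255.255.0.0
  access-group input ACL1
  service-policy input POL_INSEC
  no shutdown
interface vlan 101
  ip addr 100.101.1.101 255.255.0.0
  access-group input ACL1
  mac-sticky enable
  service-policy input POL_INSEC
  no shutdown
"""


def parse_blocks(text: str) -> list:
    """Split the config into (header, [stripped body lines]); unindented lines are headers."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[:1].isspace():
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def rserver_addresses(blocks: list) -> dict:
    """Map rserver name -> IPv4 address ('rserver host NAME' or 'rserver NAME')."""
    addrs = {}
    for header, body in blocks:
        m = re.match(r"rserver(?: host)? (\S+)$", header)
        if m:
            for line in body:
                a = re.match(r"ip address (\S+)$", line)
                if a:
                    addrs[m.group(1)] = ipaddress.IPv4Address(a.group(1))
    return addrs


def interfaces(blocks: list) -> dict:
    """Map 'interface vlan N' -> (connected network, mac-sticky enabled?)."""
    out = {}
    for header, body in blocks:
        if header.startswith("interface "):
            net = None
            for line in body:
                a = re.match(r"ip add(?:r|ress) (\S+) (\S+)$", line)  # 'ip addr' is the CLI short form
                if a:
                    net = ipaddress.IPv4Network(f"{a.group(1)}/{a.group(2)}", strict=False)
            out[header] = (net, "mac-sticky enable" in body)
    return out


def check_fwlb(text: str, expected_hash: str) -> list:
    """Return findings for every serverfarm; an empty list means the config passes."""
    blocks = parse_blocks(text)
    addrs = rserver_addresses(blocks)
    ifaces = interfaces(blocks)
    findings = set()
    for header, body in blocks:
        if not header.startswith("serverfarm "):
            continue
        name = header.split()[1]
        if "transparent" not in body:
            findings.add(f"{name}: missing 'transparent'; the VIP would be rewritten to a firewall address")
        pred = next((l for l in body if l.startswith("predictor ")), "predictor (default)")
        if not pred.startswith(f"predictor hash address {expected_hash}"):
            findings.add(f"{name}: '{pred}' but FWLB expects hash address {expected_hash}")
        for member in (l.split()[1] for l in body if l.startswith("rserver ")):
            ip = addrs.get(member)
            if ip is None:
                findings.add(f"{name}: rserver {member} has no ip address")
                continue
            for iface, (net, sticky) in ifaces.items():
                if net is not None and ip in net and not sticky:
                    findings.add(f"{iface}: reaches {member} ({ip}) but lacks 'mac-sticky enable'")
    return sorted(findings)


if __name__ == "__main__":
    print(check_fwlb(ACE_A_CONFIG, "source") or "ACE A FWLB config passes")
```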

Example of a Stealth Firewall Configuration

The following example shows those portions of the running configuration that pertain to stealth FWLB. This configuration requires two ACE appliances.